Vulnerabilities > CVE-2019-6656 - Information Exposure Through Log Files vulnerability in F5 products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

CWE-532

nessus

NVD

Published: 2019-09-25

Updated: 2023-11-07

Summary

BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705) logs the full apm session ID in the log files. Vulnerable versions of the client are bundled with BIG-IP APM versions 15.0.0-15.0.1, 14,1.0-14.1.0.6, 14.0.0-14.0.0.4, 13.0.0-13.1.1.5, 12.1.0-12.1.5, and 11.5.1-11.6.5. In BIG-IP APM 13.1.0 and later, the APM Clients components can be updated independently from BIG-IP software. Client version 7.1.8 (7180.2019.508.705) and later has the fix.

Vulnerable Configurations

Part	Description	Count
Application	F5 F5 BIG IP Access Policy Manager 14.0.0 F5 BIG IP Access Policy Manager 14.0.0.2 F5 BIG IP Access Policy Manager 14.0.0.3 F5 BIG IP Access Policy Manager 14.0.0.4 F5 BIG IP Access Policy Manager 12.1.0 F5 BIG IP Access Policy Manager 12.1.1 F5 BIG IP Access Policy Manager 12.1.2 F5 BIG IP Access Policy Manager 12.1.3 F5 BIG IP Access Policy Manager 12.1.3.1 F5 BIG IP Access Policy Manager 12.1.3.2 F5 BIG IP Access Policy Manager 12.1.3.3 F5 BIG IP Access Policy Manager 12.1.3.4 F5 BIG IP Access Policy Manager 12.1.3.5 F5 BIG IP Access Policy Manager 12.1.3.6 F5 BIG IP Access Policy Manager 12.1.3.7 F5 BIG IP Access Policy Manager 12.1.4 F5 BIG IP Access Policy Manager 12.1.4.1 F5 BIG IP Access Policy Manager 12.1.4.1.0.97.6 F5 BIG IP Access Policy Manager 12.1.4.2 F5 BIG IP Access Policy Manager 12.1.5 F5 BIG IP Access Policy Manager 15.0.0 F5 BIG IP Access Policy Manager 15.0.1 F5 BIG IP Access Policy Manager 14.1.0 F5 BIG IP Access Policy Manager 14.1.0.1 F5 BIG IP Access Policy Manager 14.1.0.2 F5 BIG IP Access Policy Manager 14.1.0.2.0.45.4 F5 BIG IP Access Policy Manager 14.1.0.2.0.62.4 F5 BIG IP Access Policy Manager 14.1.0.3 F5 BIG IP Access Policy Manager 14.1.0.3.0.79.6 F5 BIG IP Access Policy Manager 14.1.0.3.0.97.6 F5 BIG IP Access Policy Manager 14.1.0.3.0.99.6 F5 BIG IP Access Policy Manager 14.1.0.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.15.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.36.5 F5 BIG IP Access Policy Manager 14.1.0.5.0.40.5 F5 BIG IP Access Policy Manager 14.1.0.6 F5 BIG IP Access Policy Manager 14.1.0.6.0.11.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.14.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.68.9 F5 BIG IP Access Policy Manager 14.1.0.6.0.70.9 F5 BIG IP Access Policy Manager 14.1.2 F5 BIG IP Access Policy Manager 13.1.2 F5 BIG IP Access Policy Manager 11.5.2 F5 BIG IP Access Policy Manager 11.5.3 F5 BIG IP Access Policy Manager 11.5.4 F5 BIG IP Access Policy Manager 11.5.4.1 F5 BIG IP Access Policy Manager 11.5.4.2 F5 BIG IP Access Policy Manager 11.5.4.2.74.291 F5 BIG IP Access Policy Manager 11.5.4.3 F5 BIG IP Access Policy Manager 11.5.4.4 F5 BIG IP Access Policy Manager 11.5.5 F5 BIG IP Access Policy Manager 11.5.6 F5 BIG IP Access Policy Manager 11.5.7 F5 BIG IP Access Policy Manager 11.5.8 F5 BIG IP Access Policy Manager 11.5.9 F5 BIG IP Access Policy Manager 11.5.10 F5 BIG IP Access Policy Manager 11.6.0 F5 BIG IP Access Policy Manager 11.6.1 F5 BIG IP Access Policy Manager 11.6.2 F5 BIG IP Access Policy Manager 11.6.3 F5 BIG IP Access Policy Manager 11.6.3.1 F5 BIG IP Access Policy Manager 11.6.3.2 F5 BIG IP Access Policy Manager 11.6.3.3 F5 BIG IP Access Policy Manager 11.6.3.4 F5 BIG IP Access Policy Manager 11.6.4 F5 BIG IP Access Policy Manager 11.6.5 F5 BIG IP Access Policy Manager Client 7.1.5 F5 BIG IP Access Policy Manager Client 7.1.6 F5 BIG IP Access Policy Manager Client 7.1.6.1 F5 BIG IP Access Policy Manager Client 7.1.7 F5 BIG IP Access Policy Manager Client 7.1.8	79

Common Weakness Enumeration (CWE)

CWE-532 - Information Exposure Through Log Files

Common Attack Pattern Enumeration and Classification (CAPEC)

Fuzzing and observing application log data/errors for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL23876153.NASL
description	BIG-IP APM Edge Client logs the full BIG-IP APM session ID in the log files.(CVE-2019-6656) Impact This vulnerability may allow unauthorized disclosure of the BIG-IP APM session ID and expose sensitive information to the userof the client device.
last seen	2020-03-17
modified	2019-09-25
plugin id	129309
published	2019-09-25
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/129309
title	F5 Networks BIG-IP : BIG-IP APM Edge Client logging vulnerability (K23876153)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from F5 Networks BIG-IP Solution K23876153. # # The text description of this plugin is (C) F5 Networks. # include("compat.inc"); if (description) { script_id(129309); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09"); script_cve_id("CVE-2019-6656"); script_name(english:"F5 Networks BIG-IP : BIG-IP APM Edge Client logging vulnerability (K23876153)"); script_summary(english:"Checks the BIG-IP version."); script_set_attribute( attribute:"synopsis", value:"The remote device is missing a vendor-supplied security patch." ); script_set_attribute( attribute:"description", value: "BIG-IP APM Edge Client logs the full BIG-IP APM session ID in the log files.(CVE-2019-6656) Impact This vulnerability may allow unauthorized disclosure of the BIG-IP APM session ID and expose sensitive information to the userof the client device." ); script_set_attribute( attribute:"see_also", value:"https://support.f5.com/csp/article/K23876153" ); script_set_attribute( attribute:"solution", value: "Upgrade to one of the non-vulnerable versions listed in the F5 Solution K23876153." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager"); script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/09/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/25"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"F5 Networks Local Security Checks"); script_dependencies("f5_bigip_detect.nbin"); script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version"); exit(0); } include("f5_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); version = get_kb_item("Host/BIG-IP/version"); if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP"); if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix"); if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules"); sol = "K23876153"; vmatrix = make_array(); # APM vmatrix["APM"] = make_array(); vmatrix["APM"]["affected" ] = make_list("15.0.0-15.0.1","14.1.0","14.0.0","13.1.0-13.1.1","12.1.0-12.1.5","11.5.2-11.6.5"); vmatrix["APM"]["unaffected"] = make_list("15.1.0","15.0.1.1","14.1.2","14.0.0.5","13.1.3","12.1.5.1"); if (bigip_is_affected(vmatrix:vmatrix, sol:sol)) { if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get()); else security_warning(0); exit(0); } else { tested = bigip_get_tested_modules(); audit_extra = "For BIG-IP module(s) " + tested + ","; if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version); else audit(AUDIT_HOST_NOT, "running the affected module APM"); }

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References